DNS suffix – what does it mean

The best way to show the true purpose of a DNS suffix, and when and why you would need it, is through an example.

We know that any computer joined to an Active Directory domain receives an additional part to its name, which together with the hostname makes up the computer's actual FQDN, for example comp1.compinfopro.com. At the same time, the computer also receives the domain name as its primary DNS suffix.

Let's say we have two domains inside an Active Directory forest:

Forest Root Domain: compinfopro.com

Child Domain: ro.compinfopro.com

We would, of course, have several servers in each of them, but to keep the example simple we will use one server in the compinfopro.com domain, serv1, whose FQDN is serv1.compinfopro.com, and one computer in the ro.compinfopro.com domain, PC1, whose FQDN is PC1.ro.compinfopro.com.

Now, if a user on PC1 wants to access serv1 in the root domain, he would have to type the FQDN; otherwise he would most likely get an error message. Why?

Simple. Remember what happens when you join a computer to a domain: if the user tries to access serv1 by name only, the computer appends its own domain name, so according to his computer and DNS the user would actually be trying to reach a server with the FQDN serv1.ro.compinfopro.com, which may or may not exist in this domain. Depending on that, he would either get an error that no such server exists, or he would be pointed to a different server from the one he wanted. However, he could reach the desired server by typing the full FQDN serv1.compinfopro.com, which points to the location he actually wanted to reach.

If you had many such cases, you of course can't ask all your users to type that long and boring name, so as you can probably imagine there are other ways.

One other way would be to add compinfopro.com to the DNS suffix search list on the PC1.ro.compinfopro.com computer. Once that is done, the user can ping serv1 by name alone, because the computer works through the DNS suffix search list until it gets a successful reply.

There are cases where the same server or computer name exists in both domains, and then doing this might not be such a good idea: it can get confusing and sometimes does not help at all. For example, if a server name exists in both domains, adding the DNS suffix won't help much, because the ping would match and stop at the default search, i.e. the primary DNS suffix, the one automatically assigned when the computer joined the domain. A match with the server in the second domain would never happen unless you use the FQDN, because the next DNS suffixes in the list are never looked at if the first (default) one produces a match.

To summarize, the DNS search order means that every time you try to resolve a hostname, the computer you are doing this from appends the DNS suffixes from the DNS search list to the hostname, one at a time, until it gets a successful resolution.
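The search-list walk described above, as an added PowerShell model that is not part of the original post: the records, the IP addresses and the function name Resolve-WithSuffixList are constructed for illustration, and no real DNS query is sent. It also reproduces the caveat about a name that exists in both domains.

```powershell
# Added example, not from the original post: a model of how the Windows
# resolver walks the DNS suffix search list. The records below are
# constructed for the post's two domains; no real DNS query is sent.
$ConstructedRecords = @{
    'serv1.compinfopro.com'       = '10.0.0.10'   # exists only in the root domain
    'pc1.ro.compinfopro.com'      = '10.0.1.20'
    'fileserv.compinfopro.com'    = '10.0.0.30'   # same short name in both domains
    'fileserv.ro.compinfopro.com' = '10.0.1.30'
}

function Resolve-WithSuffixList {
    param(
        [Parameter(Mandatory)] [string]   $Name,       # what the user typed
        [Parameter(Mandatory)] [string[]] $SearchList, # suffixes, in the order tried
        [hashtable] $Records = $ConstructedRecords
    )
    $candidates = @()
    if ($Name.EndsWith('.')) {
        # Trailing dot: absolute name, nothing is appended.
        $candidates += $Name.TrimEnd('.')
    } else {
        # A dotted name is tried as typed first, then with each suffix appended;
        # a single-label name only gets the suffixes (simplified model).
        if ($Name.Contains('.')) { $candidates += $Name }
        foreach ($suffix in $SearchList) { $candidates += "$Name.$suffix" }
    }
    $tried = @()
    foreach ($fqdn in $candidates) {
        $fqdn = $fqdn.ToLower()
        $tried += $fqdn
        if ($Records.ContainsKey($fqdn)) {
            # First successful match wins; the remaining suffixes are never consulted.
            return [pscustomobject]@{ Tried = $tried; Answer = $Records[$fqdn] }
        }
    }
    return [pscustomobject]@{ Tried = $tried; Answer = $null }
}

# PC1 with only its primary suffix: 'serv1' becomes serv1.ro.compinfopro.com and fails.
Resolve-WithSuffixList -Name 'serv1' -SearchList @('ro.compinfopro.com')
# With the root domain added to the search list, serv1 resolves on the second try.
Resolve-WithSuffixList -Name 'serv1' -SearchList @('ro.compinfopro.com', 'compinfopro.com')
# The post's caveat: 'fileserv' exists in both domains, so the first suffix always
# wins and the root-domain server can only be reached by its FQDN.
Resolve-WithSuffixList -Name 'fileserv' -SearchList @('ro.compinfopro.com', 'compinfopro.com')
Resolve-WithSuffixList -Name 'fileserv.compinfopro.com' -SearchList @('ro.compinfopro.com', 'compinfopro.com')
```

The Tried column of each result shows exactly which names were attempted before the resolver stopped.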

The DNS suffix search list can be modified by either of the two methods I will show you below. There is, however, another way to do this globally, so you don't have to work on each computer in your network: modifying the options of the DHCP scope that provides network settings to clients.

1. Open the Local Area Connection settings: Start – Settings (if it exists) – Control Panel – Network Connections (Network and Internet Connections first, if you are using the Category view) – double-click your connection.

2. Click Properties.

3. Select Internet Protocol (TCP/IP) and click Properties.

4. Click Advanced.

5. Click DNS.

You will notice that the option “Append primary and connection specific DNS suffixes” is checked. As we already learned, this is the default setting and it appends the domain (primary) DNS suffix to every request.

6. Check “Append these DNS suffixes (in order)” and use the Add button to add the DNS suffixes you want searched. Note that this also cancels the primary DNS suffix, so you have to add that one as well; to keep the original order, add the former primary DNS suffix first, followed by the next one you want.

In our example, the one below would be the next in the search list.

In the end it would look something like this:

7. Click OK, apply where needed, and everything should work. If by mistake you entered them in the wrong order, you can adjust it with the arrow buttons to move a DNS suffix up or down:

The second arrow is greyed out because this DNS suffix is already the last one; you can't move it any lower in the search list than it already is.

Second method of modifying DNS suffix search list – Registry Settings

This is actually the same thing: I will show you the registry key you have to modify to get the same search list order. Both methods produce the same result; one is done through the connection settings and the other through the registry.

Why two methods?

Simple: it depends on your level of knowledge, how much you are willing to navigate through options, what access rights you have, whether you can do it remotely or not, and more. Pick the one that fits what you need and the resources available to you.

You should also know that when you use the first method and enter DNS suffixes in that window, they are written to the same registry key I'm about to show you, and the other way around: when you add them to the registry, they also show up in the window we saw in the first method.

So let’s see how it is done:

Open a registry editor; you can use the Windows default, regedit, by going to Start – Run and typing “regedit” (without the quotes).

By default, this value should be blank, as you can see in the picture above. This means you are running with the default settings, where the primary DNS suffix is the domain DNS suffix. If you add a value here and confirm with OK, the same DNS suffix also appears in the option displayed in method one, as you can see below, and the default setting is cancelled.

Adding something here is the same as enabling the checkbox “Append these DNS suffixes (in order)”, while removing the content of this value and leaving it blank as you found it is the same as selecting the original setting, “Append primary and connection specific DNS suffixes”.

Double-click the SearchList value in the registry to add a new DNS suffix and type it in the Value data textbox.

Usually when you want to add a DNS suffix, it is one that differs from the primary one, so at least one more, which means you end up adding two. Separate them with a comma, as in the example below, and press OK when you are finished. Both entries will also be shown in the window under Connection Properties – Internet Protocol (TCP/IP) – DNS, in the same order you added them here. A comma in the registry editor puts the next DNS suffix on a new line there. The same applies if you have more than two; think of the comma here as a line break in that window.

The final result should look like this after you press OK:
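The registry method done from PowerShell, as an added example that is not part of the original post. It uses the standard location of the SearchList value (the Tcpip\Parameters key under HKLM), the function names Get-DnsSuffixSearchList and Set-DnsSuffixSearchList are my own, and it assumes an elevated session on Windows 8 / Server 2012 or later so that Get-DnsClientGlobalSetting is available to confirm that both methods show the same list.

```powershell
# Added example, not from the original post: the registry method from PowerShell,
# plus a check that the DNS Client cmdlets see the same list the TCP/IP DNS tab shows.
# Run in an elevated session; it changes the machine-wide DNS client settings.
$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

function Get-DnsSuffixSearchList {
    # SearchList is one REG_SZ string with suffixes separated by commas; an empty
    # string means the default "Append primary and connection specific DNS suffixes".
    $raw = (Get-ItemProperty -Path $RegPath -Name SearchList -ErrorAction SilentlyContinue).SearchList
    if ([string]::IsNullOrWhiteSpace($raw)) { return @() }
    return $raw -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
}

function Set-DnsSuffixSearchList {
    param([string[]] $Suffixes)   # order matters: the first entry is tried first
    # As the post notes, a non-empty SearchList replaces the default behaviour,
    # so the former primary suffix must be listed explicitly (and first).
    Set-ItemProperty -Path $RegPath -Name SearchList -Value ($Suffixes -join ',')
}

# The post's example: PC1 in ro.compinfopro.com must also search the root domain.
Set-DnsSuffixSearchList -Suffixes @('ro.compinfopro.com', 'compinfopro.com')
Get-DnsSuffixSearchList

# The DNS Client cmdlets read the same setting, which is what the
# "Append these DNS suffixes (in order)" list in the GUI displays.
(Get-DnsClientGlobalSetting).SuffixSearchList

# Restoring the default (primary + connection-specific suffixes) means emptying
# the value, exactly as the post describes leaving it blank.
Set-DnsSuffixSearchList -Suffixes @()
```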

I hope this was clear enough; if you think there is more to uncover or you can add something, please do. I'm also happy to answer any questions you have.

13 Comments

Hi. You said the first match will finalize the search. So if there are two same PC names in different domains (parent and child) then even having the manually created name suffix (in this case two) will finalize the search on the first one, thus another machine won’t be contacted anyway. Am I wrong thinking this way?

Windows Administrator operator “TROY” is on a personal vendetta to terrorize my two laptops here on my Network, personally monitoring my laptops every log on!!! He does almost everything evil under the sun to sabotage my operating systems, changing my settings, security policies etc, no stopping him, he takes it for a big joke, from 2008, all because I told him that he was a SOCIOPATH for hacking my computers. This dude goes to extreme lengths with his antics to sabotage Windows OS, he is also on your smart phones, GPS, to track you on the road, your Printer/ Fax machine, all digital devices, etc. There is much, much more than meets the eye with this dude!! INCREDIBLE!!! There seems to be no end to this dude with his persistent harassment of all these innocent computer and device owners, leaving such trails of destruction, and unstoppable!!! In your face actions, on & on!!!! Well, nothing lasts forever!!!

I have a domain name of JediSystems.us and the registrar is Go Daddy. I have 1 physical server in my home and I run Hyper-V to host another 3 VPSs. None of these are DCs nor any of the DNS servers. Basically I'm wanting to host my own email and a web server. The email server is currently running an SQL instance for a game server I host and I'm using hMailServer on that server since it also needs MySQL (VPS 1). The next VPS is a web server which I plan on using for the obvious, my website (VPS 2). VPS 3 is a game server for Arma 3 & Arma 2.

I do not intend on setting up a domain (and yes, I have a static IP through my ISP) in my home. So my question here is, do I need to use the Primary DNS Suffix of JediSystems.us on the Web server and SQL server (MySQL and email host) in order for DNS resolution to know where to point for my email delivery/transport and when using http://www.jedisystems.us to navigate to my webpage?